Intelligent Authentication


This presentation, created by Carole Gunst and Charley Chell from CA Technologies, explains the value of combining strong and risk-based authentication methods as part of an intelligent authentication solution. Learn more about CA Advanced Authentication at

  1. Intelligent Authentication: The Value of Combining Strong & Risk-based Authentication. Carole Gunst and Charley Chell, CA Technologies
  2. Business challenges
     • Protect user identity from online attacks
       – In 2013, there was a 91% increase in targeted attacks [1]
       – In 2013, there was a 62% increase in data breaches [1]
     • Provide security for mobile devices
       – In 2008, the number of Internet-connected devices first outnumbered the human population [2]
     • Comply with industry regulations
       – Sarbanes Oxley Act (SOX)
       – Health Insurance Portability and Accountability Act (HIPAA)
       – Federal Financial Institutions Examination Council (FFIEC)
       – Payment Card Industry (PCI)
     [1] 2014 Internet Threat Security Report, Symantec
     [2] The Internet of Things Will Thrive by 2025, Pew Research, 2014
     © 2014 CA. All rights reserved.
  3. Strong Authentication
  4. Challenges with traditional credentials
     • Passwords are weak
       – Susceptible to phishing
       – Often guessable
       – Can be reused
       – Available for sale
     • Questions & Answers are easy to figure out
       – Information becoming readily available
     • Hardware tokens
       – Easy to lose
       – Expensive to administer
     Top 10 Most Used Passwords of 2013 (Source: SplashData): 1. 123456; 2. password; 3. 12345678; 4. qwerty; 5. abc123; 6. 123456789; 7. 111111; 8. 1234567; 9. iloveyou; 10. adobe123
  5. You use strong authentication today
  6. What is strong authentication?
     • Strong authentication is a method that makes it more difficult to impersonate an actual user, because multiple disjoint pieces of information need to be assembled in order to be successful.
     • Strong authentication is also called two-factor authentication or multi-factor authentication.
     • Factors are commonly categorized as:
       – Something you know (examples: password, PIN, Q&A)
       – Something you have (examples: mobile phone, key fob)
       – Something you are (examples: fingerprint, retina scan)
  7. What (else) is strong authentication? There are a number of emerging categories as well:
     • Where you are (example: IP or satellite geo-location)
     • Who you know (example: social network)
     • What you’re doing (example: behavioral profiling)
  8. Risk-based Authentication
  9. What is risk-based authentication? Risk-based authentication:
     • Judges whether the user is who they say they are
     • Determines the correct (or minimum) credential requirements based on assessment of the user and request in the context of the available history
     • Is typically coupled with a portfolio of credentials
  10. Risk-based authentication: context provides key data for judging identity
     • Where is the user?
       – Is the location inherently suspect?
       – Is the connection consistent with device type?
       – Is the IP a known anonymizer?
     • Which system or device is being used?
       – What kind of device is it?
       – Has this device been used before?
       – Has the device changed since it was last used?
     • What is the user trying to do?
       – Is this a requested action?
       – Is the action inherently risky?
       – Have similar actions taken place before?
     • Is behavior consistent?
       – Is this a normal time of day?
       – Is frequency of login abnormal?
       – Is current behavior consistent with prior behavior?
  11. CA Advanced Authentication
  12. CA Advanced Authentication
     • Strong Authentication
       – Supports wide variety of credentials
       – Integrates with SAML, API, and RADIUS
       – Allows for OCRA standard transaction signing
       – Provides OOB authentication using one-time passwords (OTPs) delivered via text, voice, or e-mail
       – Integrates tightly with web-access management systems
     • Risk-based Authentication
       – Assesses risk using DeviceDNA™ fingerprinting to identify devices
       – Captures and analyzes data in real time based on geo-location/velocity checks
       – Flags and reports on cases of suspicious activity using a policy-based system
     • CA Advanced Authentication
       – Combines strong and risk-based authentication
       – Offers multi-channel protection
       – Secures on-premise, cloud and mobile applications
  13. Advantages of strong, risk-based authentication together
     • Provides the appropriate credential for each time and place
     • Reduces potential for data breaches
     • Helps comply with industry regulations
  14. CA positioned in Leaders’ Quadrant of Gartner 2013 Magic Quadrant for User Authentication*
     * Gartner Research, “Magic Quadrant for User Authentication,” by Ant Allen, December 9, 2013. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from CA Technologies.
  15. CA Technologies named a leader in the Forrester Wave™: Risk-Based Authentication, Q1 2012*
     * The Forrester Wave™: Risk-based Authentication, Q1 2012; Forrester Research, Inc.; February 22, 2012. The Forrester Wave is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
  17. Legal Notice: © CA 2014. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only, and does not form any type of warranty.
  18. For more information: @casecurity
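
An added sketch (not from the presentation and not CA's product code) of the risk-based flow on slides 9, 10 and 12: the request context is compared with the user's history, including a geo-velocity check, and the score selects the minimum credential from the portfolio. The weights, thresholds, field names and sample data are assumptions chosen for illustration.

```python
from math import asin, cos, radians, sin, sqrt

# Illustrative weights and thresholds (assumptions, not vendor values).
WEIGHTS = {"anonymizer_ip": 40, "new_device": 30, "device_changed": 20,
           "risky_action": 25, "unusual_hour": 10, "impossible_travel": 50}
STEP_UP, DENY, MAX_KMH = 25, 70, 900

def km(a, b):  # great-circle (haversine) distance between (lat, lon) pairs
    p1, p2, dl = radians(a[0]), radians(b[0]), radians(b[1] - a[1])
    h = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def signals(req, hist):
    """Compare the request context with the user's history."""
    out = []
    if req["anonymizer_ip"]:
        out.append("anonymizer_ip")
    seen = hist["devices"].get(req["device_id"])
    if seen is None:
        out.append("new_device")
    elif seen != req["fingerprint"]:
        out.append("device_changed")
    if req["risky_action"]:
        out.append("risky_action")
    if req["hour"] not in hist["usual_hours"]:
        out.append("unusual_hour")
    if hist.get("last_login"):
        loc, ts = hist["last_login"]
        hours = max((req["ts"] - ts) / 3600, 1 / 60)  # floor at one minute
        if km(loc, req["loc"]) / hours > MAX_KMH:
            out.append("impossible_travel")
    return out

def required_credential(req, hist):
    """Minimum credential for this request: password, password+otp or deny."""
    hits = signals(req, hist)
    score = sum(WEIGHTS[h] for h in hits)
    level = "deny" if score >= DENY else "password+otp" if score >= STEP_UP else "password"
    return level, score, hits

# Constructed sample data: one known laptop, last login from London.
HIST = {"devices": {"laptop-1": "fp-a"}, "usual_hours": range(7, 20),
        "last_login": ((51.5, -0.13), 1_700_000_000)}
BASE = {"device_id": "laptop-1", "fingerprint": "fp-a", "anonymizer_ip": False,
        "loc": (51.5, -0.13), "ts": 1_700_086_400, "hour": 10, "risky_action": False}

if __name__ == "__main__":
    print(required_credential(BASE, HIST))
    print(required_credential({**BASE, "device_id": "phone-9", "hour": 3}, HIST))
```

Returning the list of triggered signals alongside the decision gives the policy-based reporting on slide 12 something to log and review.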